CVE-2026-45037 Overview
CVE-2026-45037 affects Tabby, a configurable cross-platform terminal emulator formerly known as Terminus. Versions prior to 1.0.232 pass any detected Uniform Resource Identifier (URI) from terminal output directly to the operating system's protocol handler. The terminal linkifier does not validate the protocol scheme before invocation. A malicious Secure Shell (SSH) or Telnet server can emit crafted terminal output containing dangerous URI schemes, which Tabby renders as clickable links. When a user clicks one of these links, the host OS launches the associated protocol handler, enabling abuse of registered handlers on the victim's machine. The flaw is categorized under CWE-184 (Incomplete List of Disallowed Inputs) and is fixed in Tabby 1.0.232.
Critical Impact
A malicious remote shell server can trigger arbitrary OS protocol handlers on a connected user's workstation when the user clicks a crafted link rendered in the Tabby terminal.
Affected Products
- Tabby (formerly Terminus) terminal emulator
- All versions prior to 1.0.232
- Deployments connecting to untrusted SSH or Telnet servers
Discovery Timeline
- 2026-05-15 - CVE-2026-45037 published to the National Vulnerability Database (NVD)
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45037
Vulnerability Analysis
Tabby's terminal view includes a linkifier that scans rendered output for URI patterns and converts them into clickable hyperlinks. When a user clicks one of these hyperlinks, Tabby hands the URI to the operating system's default protocol handler dispatch mechanism. The linkifier accepts any scheme detected in the input stream and does not constrain dispatch to a safe allowlist such as http, https, or mailto. As a result, dangerous schemes such as file://, ms-msdt:, search-ms:, or custom application-registered handlers can be invoked from terminal output. The attack requires user interaction, since the victim must click the rendered link.
Root Cause
The root cause is incomplete input filtering on the URI scheme component. Tabby relies on pattern matching to identify candidate links but does not enforce a scheme allowlist before delegating the URI to the OS. CWE-184 describes this class of defect: a protection mechanism that filters some malicious inputs but fails to cover the complete set of dangerous values. Any URI scheme registered on the host system becomes reachable through clickable terminal output.
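The missing control, shown as an added example that is not Tabby's source code or the vendor's patch: a scheme allowlist applied before a clicked link reaches the OS dispatcher, next to the unchecked behaviour described above. The function names, the `opener` callback standing in for the OS dispatch call, and the sample links are assumptions made for illustration.

```javascript
// Added example: scheme allowlist check placed in front of OS link dispatch.
// Hypothetical names throughout; this is not Tabby's source code.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Parse with the WHATWG URL parser so the scheme is normalized
// (lowercased, surrounding whitespace stripped) before it is compared.
function classifyLink(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { allowed: false, scheme: null, href: null }; // unparseable: refuse
  }
  return { allowed: ALLOWED_SCHEMES.has(url.protocol), scheme: url.protocol, href: url.href };
}

// Before: every detected URI reaches the OS handler (the behaviour the advisory describes).
function openLinkUnchecked(raw, opener) {
  opener(raw);
  return true;
}

// After: only allowlisted schemes are dispatched, and the normalized href
// (the value that was actually validated) is what gets handed over.
function openLinkChecked(raw, opener) {
  const verdict = classifyLink(raw);
  if (!verdict.allowed) return false;
  opener(verdict.href);
  return true;
}

// Constructed sample links as they might appear in terminal output.
const SAMPLE_LINKS = [
  'https://example.com/docs',
  'MAILTO:ops@example.com',
  'file:///etc/hosts',
  'ms-msdt:placeholder-args',
  'Search-MS:query=placeholder',
  'not a uri',
];

// Run every sample through one of the two open functions with a recording opener.
function runDemo(openFn) {
  const dispatched = [];
  const results = SAMPLE_LINKS.map((link) => openFn(link, (u) => dispatched.push(u)));
  return { results, dispatched };
}
```

Comparing the parsed `url.protocol` rather than a prefix of the raw string is what keeps mixed-case variants such as `Search-MS:` from slipping past the check.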
Attack Vector
An attacker controls or compromises an SSH or Telnet server that the victim connects to using Tabby. The server emits crafted bytes into the session output stream containing a URI with a dangerous scheme. Tabby renders the URI as a clickable link inside the terminal. When the victim clicks the link, the operating system invokes the matching protocol handler with attacker-supplied parameters. Depending on the registered handler, this can result in file access, application launch with attacker-controlled arguments, or chaining into other client-side vulnerabilities. The vulnerability manifests at the rendering boundary; see the GitHub Security Advisory GHSA-cmpc-v2x9-j9x9 for additional technical detail.
Detection Methods for CVE-2026-45037
Indicators of Compromise
- Tabby installations reporting a version string earlier than 1.0.232
- SSH or Telnet session logs containing unexpected URI schemes such as file://, ms-msdt:, search-ms:, or custom application schemes embedded in server banners or command output
- Process creation events showing a protocol handler binary spawned as a child of the Tabby process shortly after an SSH or Telnet session
Detection Strategies
- Inventory endpoints running Tabby and identify hosts on versions below 1.0.232 using software asset management tooling
- Monitor child processes of tabby.exe (Windows) or the Tabby binary on macOS and Linux for handlers like ms-msdt, mshta, rundll32, or other registered protocol launchers
- Inspect SSH and Telnet server logs and proxy captures for outbound terminal streams containing non-standard URI schemes
Monitoring Recommendations
- Alert on any process tree where Tabby spawns a protocol handler associated with code execution or local file access
- Correlate user-initiated SSH or Telnet sessions to untrusted destinations with subsequent protocol handler invocations on the same host
- Track endpoint telemetry for new or unusual URI scheme registrations that could be abused through this defect
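The process-tree and session-correlation checks above, sketched as an added example rather than a vendor detection rule. The event field names, the ten-minute window, the trusted-destination list and every sample record are constructed assumptions; map them to your own endpoint telemetry schema.

```javascript
// Added example: correlate Tabby-parented handler launches with recent
// remote sessions. Field names and all sample records are constructed.
const TABBY_IMAGES = new Set(['tabby.exe', 'tabby']);
// Handler binaries named on this page; extend from your own handler inventory.
const WATCHED_CHILDREN = new Set(['msdt.exe', 'mshta.exe', 'rundll32.exe']);
const WINDOW_MS = 10 * 60 * 1000; // assumed correlation window
const baseName = (p) => p.split(/[\\/]/).pop().toLowerCase();

function findSuspiciousLaunches(processEvents, sessions, trustedDests) {
  const alerts = [];
  for (const ev of processEvents) {
    if (!TABBY_IMAGES.has(baseName(ev.parentImage))) continue;
    if (!WATCHED_CHILDREN.has(baseName(ev.image))) continue;
    const t = Date.parse(ev.time);
    // Most recent session on the same host that started before the launch.
    const prior = sessions
      .filter((s) => s.host === ev.host)
      .map((s) => ({ ...s, age: t - Date.parse(s.start) }))
      .filter((s) => s.age >= 0 && s.age <= WINDOW_MS)
      .sort((a, b) => a.age - b.age)[0];
    alerts.push({
      host: ev.host,
      child: baseName(ev.image),
      dest: prior ? prior.dest : null,
      // A launch right after a session to an untrusted destination ranks highest.
      severity: prior && !trustedDests.has(prior.dest) ? 'high' : 'medium',
    });
  }
  return alerts;
}

// Constructed telemetry for the demo (paths and hosts are placeholders).
const TABBY = 'C:\\Apps\\Tabby\\Tabby.exe';
const SAMPLE_SESSIONS = [
  { host: 'ws-01', dest: 'bastion.corp.example', start: '2026-05-20T09:00:00Z' },
  { host: 'ws-02', dest: '203.0.113.7', start: '2026-05-20T09:05:00Z' },
];
const SAMPLE_EVENTS = [
  { host: 'ws-02', time: '2026-05-20T09:07:30Z', parentImage: TABBY, image: 'C:\\Windows\\System32\\msdt.exe' },
  { host: 'ws-01', time: '2026-05-20T09:01:00Z', parentImage: TABBY, image: 'C:\\Windows\\System32\\cmd.exe' },
  { host: 'ws-01', time: '2026-05-20T09:02:00Z', parentImage: 'C:\\Windows\\explorer.exe', image: 'C:\\Windows\\System32\\mshta.exe' },
  { host: 'ws-01', time: '2026-05-20T11:00:00Z', parentImage: TABBY, image: 'C:\\Windows\\System32\\rundll32.exe' },
];
const SAMPLE_TRUSTED = new Set(['bastion.corp.example']);

const runDetectionDemo = () => findSuspiciousLaunches(SAMPLE_EVENTS, SAMPLE_SESSIONS, SAMPLE_TRUSTED);
```

A shell such as `cmd.exe` under Tabby is expected terminal behaviour and is deliberately not flagged; a watched handler launched with no session inside the window still alerts, at lower severity.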
How to Mitigate CVE-2026-45037
Immediate Actions Required
- Upgrade all Tabby installations to version 1.0.232 or later across managed endpoints
- Restrict SSH and Telnet connections to known, trusted servers until patching is complete
- Educate users to avoid clicking embedded links inside terminal output from untrusted sessions
Patch Information
Tabby 1.0.232 resolves CVE-2026-45037 by enforcing scheme validation in the terminal linkifier. Refer to the GitHub Security Advisory GHSA-cmpc-v2x9-j9x9 for vendor release notes and the corresponding commit references.
Workarounds
- Avoid connecting to untrusted SSH or Telnet servers with vulnerable Tabby builds
- Disable or unregister high-risk OS protocol handlers that are not required for business workflows
- Use an alternative terminal emulator with strict link scheme handling until patching is complete
# Verify the installed Tabby version on Linux/macOS
tabby --version
# Expected output should be 1.0.232 or higher


